summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-09-29 06:44:33 +1000
committerAndrew Tridgell <tridge@samba.org>2010-09-28 19:25:50 -0700
commitf84bdf91d865ab176dcc0d829944821b89b88074 (patch)
treedb797ee743904ba8dfb4568cb3688bc647ccb3a0
parente2c305deb1553ab8ba11fa687dcf1c08f2acd88a (diff)
downloadsamba-f84bdf91d865ab176dcc0d829944821b89b88074.tar.gz
samba-f84bdf91d865ab176dcc0d829944821b89b88074.tar.bz2
samba-f84bdf91d865ab176dcc0d829944821b89b88074.zip
heimdal Use a seperate krb5_auth_context for the delegated credentials
If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentiation with the target server. Andrew Bartlett
-rw-r--r--source4/heimdal/lib/gssapi/krb5/delete_sec_context.c1
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h1
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c34
3 files changed, 35 insertions, 1 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
index b3d436ea01..e02a4c6a9f 100644
--- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
@@ -59,6 +59,7 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (context, ctx->auth_context);
+ krb5_auth_con_free (context, ctx->deleg_auth_context);
if (ctx->kcred)
krb5_free_creds(context, ctx->kcred);
if(ctx->source)
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index d91670821a..6b9b03f349 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -55,6 +55,7 @@ struct gss_msg_order;
typedef struct gsskrb5_ctx {
struct krb5_auth_context_data *auth_context;
+ struct krb5_auth_context_data *deleg_auth_context;
krb5_principal source, target;
#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
OM_uint32 flags;
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index fd9934a9e4..b513bd2d65 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -117,6 +117,7 @@ _gsskrb5_create_ctx(
return GSS_S_FAILURE;
}
ctx->auth_context = NULL;
+ ctx->deleg_auth_context = NULL;
ctx->source = NULL;
ctx->target = NULL;
ctx->kcred = NULL;
@@ -139,13 +140,34 @@ _gsskrb5_create_ctx(
return GSS_S_FAILURE;
}
+ kret = krb5_auth_con_init (context, &ctx->deleg_auth_context);
+ if (kret) {
+ *minor_status = kret;
+ krb5_auth_con_free(context, ctx->auth_context);
+ HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+ return GSS_S_FAILURE;
+ }
+
kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
if (kret) {
*minor_status = kret;
+ krb5_auth_con_free(context, ctx->auth_context);
+ krb5_auth_con_free(context, ctx->deleg_auth_context);
+
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+ return GSS_S_BAD_BINDINGS;
+ }
+
+ kret = set_addresses(context, ctx->deleg_auth_context, input_chan_bindings);
+ if (kret) {
+ *minor_status = kret;
+
krb5_auth_con_free(context, ctx->auth_context);
+ krb5_auth_con_free(context, ctx->deleg_auth_context);
+
+ HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
return GSS_S_BAD_BINDINGS;
}
@@ -160,6 +182,16 @@ _gsskrb5_create_ctx(
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
NULL);
+ /*
+ * We need a sequence number
+ */
+
+ krb5_auth_con_addflags(context,
+ ctx->deleg_auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE |
+ KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
+ NULL);
+
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
@@ -538,7 +570,7 @@ init_auth_restart
ap_options = 0;
if (flagmask & GSS_C_DELEG_FLAG) {
do_delegation (context,
- ctx->auth_context,
+ ctx->deleg_auth_context,
ctx->ccache, ctx->kcred, ctx->target,
&fwd_data, flagmask, &flags);
}